1. Field of the Invention
This invention pertains in general to computer network security and in particular to testing filtering rules for firewalls and other network security devices.
2. Description of the Related Art
Enterprises, such as companies, government offices, and educational institutions, often filter network traffic for security reasons. Incoming network traffic from the Internet or other external networks is filtered to block email spam, viruses, intrusion attempts, etc. (collectively referred to as “malicious traffic”). Outgoing network traffic is often also filtered for malicious traffic. The filtering is performed by a firewall or other traffic filtering device.
The filtering device blocks traffic according to a set of rules. The rules describe types of traffic that can be encountered by the filtering device and specify whether the traffic is permitted and/or blocked. For example, a simple firewall rule can specify a network port that is closed, thereby blocking all traffic that attempts to use that port. A more complex rule can describe a sequence of values that represent a computer virus or other malicious software, and cause the filtering device to block the traffic that contains the sequence. More sophisticated rules can use heuristics or other techniques to analyze the contents of email messages to characterize the messages as legitimate or spam.
The rules often execute autonomously on large volumes of network traffic. Therefore, there is a desire to make the rules as accurate as possible in order to minimize overhead and disruptions. “Accurate” in this context generally means minimizing false positive detections of malicious traffic (i.e., blocking legitimate traffic) and also minimizing false negative detections (i.e., allowing malicious traffic to pass through the filter). One way to ensure the accuracy of a rule is to test it against a wide variety of real-world traffic. The more traffic a rule is tested against, the more confidence one can have that the rule is accurate.
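As an added illustration (not part of the patent text), the following Python harness applies rules of the two simple kinds described above, a closed port and a byte-sequence signature, to a constructed, labelled traffic sample and counts the false positives and false negatives that define accuracy here; the packet fields, rule shapes, signature bytes and sample payloads are all assumptions made for the example.

```python
# Added example (not from the patent): tests filtering rules against a labelled
# traffic sample and counts false positives/negatives. Packet fields, rule shapes
# and all sample payloads are constructed for illustration.
from dataclasses import dataclass
from typing import Callable, List, Tuple

@dataclass
class Packet:
    dst_port: int
    payload: bytes
    malicious: bool  # ground-truth label attached to the sample packet

Rule = Callable[[Packet], bool]  # True means "block this packet"

def closed_port_rule(port: int) -> Rule:
    """Simple rule: block everything addressed to a closed port."""
    return lambda pkt: pkt.dst_port == port

def signature_rule(signature: bytes) -> Rule:
    """Content rule: block payloads containing a known byte sequence."""
    return lambda pkt: signature in pkt.payload

def evaluate(rules: List[Rule], traffic: List[Packet]) -> Tuple[int, int, int, int]:
    """Apply all rules to each packet; return (tp, fp, tn, fn) counts."""
    tp = fp = tn = fn = 0
    for pkt in traffic:
        blocked = any(rule(pkt) for rule in rules)
        if blocked and pkt.malicious: tp += 1
        elif blocked: fp += 1        # legitimate traffic wrongly blocked
        elif pkt.malicious: fn += 1  # malicious traffic wrongly passed
        else: tn += 1
    return tp, fp, tn, fn

def error_rates(counts: Tuple[int, int, int, int]) -> Tuple[float, float]:
    """(false-positive rate, false-negative rate) from the counts above."""
    tp, fp, tn, fn = counts
    fpr = fp / (fp + tn) if fp + tn else 0.0
    fnr = fn / (fn + tp) if fn + tp else 0.0
    return fpr, fnr

RULES = [closed_port_rule(23), signature_rule(b"EVIL-SIG")]  # constructed rule set
SAMPLE_TRAFFIC = [  # constructed packets with hand-assigned labels
    Packet(23, b"login: root", True),                # probe on closed port: TP
    Packet(80, b"GET /index.html HTTP/1.1", False),  # ordinary request: TN
    Packet(80, b"GET /dl?d=EVIL-SIG", True),         # carries signature: TP
    Packet(25, b"Subject: lunch?", False),           # ordinary mail: TN
    Packet(443, b"opaque bytes", True),              # matches no rule: FN
    Packet(23, b"maintenance login", False),         # legitimate port-23 use: FP
]
```

Running `evaluate(RULES, SAMPLE_TRAFFIC)` on this sample yields one false positive and one false negative; a larger and more varied sample is what gives the rates statistical meaning.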
Enterprises in the business of designing and providing filtering rules, such as security software vendors and the like, may have a hosted infrastructure—or may attempt to work with internet service providers (ISPs)—to receive large samples of real-world network traffic. The enterprises would then test the rules against the real-world traffic before releasing the rules for general use. Even the traffic from an ISP, however, might not be representative of the sort of traffic the rules will encounter when in wide release, meaning that many rules could be improved if tested against a wider variety of traffic. Additionally, smaller enterprises often lack the wherewithal to work with ISPs and test against large volumes of traffic. Thus, a person designing rules for a small enterprise might be forced to test the rules on only that enterprise's traffic, resulting in less confidence that the rules are accurate.
Furthermore, the rules sometimes must be designed and tested very quickly. For example, the security software vendor may need to design and test filtering rules designed to stop a fast-spreading virus before the infection gets out of hand. Due to the urgent need to distribute the filtering rules, the software vendor might not be able to test the rules against as much network traffic as it would prefer.
Therefore, there is a need in the art for a way to expand opportunities for testing filtering rules against network traffic.